News

SMEs failing to prioritise cyber security, study shows

Warwick Ashford

Senior managers at small and medium enterprises (SMEs) are failing to prioritise cyber security, preventing them from establishing a strong IT security posture, a study reveals.

Many SMEs are at risk because of uncertainty over their security and cyber-attack threats, according to a study by the Ponemon Institute.

The Risk of an Uncertain Security Strategy study polled 2,000 SMEs globally; 58% of respondents said management does not see cyber attacks as a significant risk to their business.

Some 44% said IT security is not a priority, 42% said their budget is not adequate for achieving an effective security posture, and only 26% said their IT staff have sufficient expertise.

Despite this, IT infrastructure and asset security incidents, together with wider security-related disruptions, were found to have cost these SMEs an average of $1.6m (£990,000) each over the past 12 months.

The study also revealed that 42% of respondents said their organisation had experienced a cyber attack in the past 12 months, while a third were uncertain whether one had occurred at all.

The research, sponsored by UK-headquartered security firm Sophos, also found that respondents in more senior positions were likely to be more uncertain about the seriousness of potential threats.

“The scale of cyber attack threats is growing every day,” said Gerhard Eschelbeck, chief technology officer at Sophos, “yet this research shows that many SMEs are failing to appreciate the dangers and potential losses they face from not adopting a suitably robust IT security posture.”

According to the research, there are three main challenges preventing the adoption of a strong security posture: failure to prioritise security, insufficient budget and a lack of in-house expertise.

In many SMEs there is also no clear owner responsible for cyber security, with 32% of respondents saying the CIO is responsible for setting priorities, while 31% said no single function is responsible.

“Today in SMEs, the CIO is often the only information officer, managing multiple and increasingly complex responsibilities within the business,” said Eschelbeck.

“However, they can’t do everything on their own and as employees are demanding access to critical apps, systems and documents from a diverse range of mobile devices, it would appear security is often taking a back seat,” he said.

The study also reveals uncertainty about whether BYOD (bring your own device) policies and the use of the cloud are likely to increase the likelihood of cyber attacks.

Some 77% of respondents said their use of cloud applications and IT infrastructure services will increase or stay the same over the next year, but a quarter said they did not know whether this would affect security.

Similarly, 69% said mobile access to business-critical applications would increase in the next year, but only half believed this would weaken their security posture.

“Small and midsize organisations simply cannot afford to disregard security,” said Larry Ponemon, president of the Ponemon Institute.

“Without it, there is more chance that new technology will face cyber attacks, which is likely to cost the business substantial amounts,” he said.

According to Larry Ponemon, CIOs are under pressure to implement new technology that enables agile and efficient ways of working, but this should not take precedence over security.

“The industry needs to recognise the potential dangers of not taking cyber security seriously and create support systems to improve SMB security postures,” he said.

The study found that uncertainty about security strategy and the threats organisations face varies by industry, with respondents in financial services reporting the greatest confidence.

The technology sector is also more security aware, while retail, education and research, and entertainment and media report the highest levels of uncertainty.

The report recommends that SMEs:

  • Concentrate resources on monitoring their security situation to make intelligent decisions.
  • Establish mobile and BYOD security best practices.
  • Look for ways, such as a move to cloud and security consulting, to bridge the gap created by a shortage of information security professionals.
  • Measure the cost of cyber attacks and work with senior management to make cyber security a priority.
  • Invest in solutions that restore normal business activity faster for a high return on investment.
  • Consider consolidated security management to gain a more accurate picture of threats and help focus on problem areas.